[nycbug-talk] RADIUS experiences

Peter Wright pete at nomadlogic.org
Tue May 23 15:08:44 EDT 2006


> Hi All,
>
> I'm wondering if anyone here has experience with RADIUS servers?  I'm
> setting one up for a fun project (wireless captive portal), and not
> all that excited about using FreeRADIUS- lots of unanswered questions
> in my brain...
> That stated, my concerns are with ease of management, and redundant
> replication for high-availability.
>
> I'm basically concerned about scale issues-
>
> 1) For a network of 300-5000 users, do the standard unix /etc/
> password files scale sanely?  I mean, the docs have this as the
> default config for user db, which is a type of data backend I'd
> usually have in some other kind of DB.  It just seems like a recipe
> for poor scalability.
>

Yeah, I would be worried about this too. Aside from scalability, I would
be concerned about corruption of the password table and security issues as
well.

> 2) LDAP backends?  Is this common practice? (I'm concerned about over-
> complexity)
>
Aside from the initial learning curve of setting up an LDAP environment, we
seem to have pretty good success using LDAP+RADIUS for our wireless and
remote access networks.

> 3) SQL backends?  Is this common practice? (Again, concerned about
> over-complexity)
>
> 4) Custom RADIUS implementations- RADIUS is more or less just a
> protocol, with defined parameters for how it manages the big AAA.
> Since it's the data backend I'm concerned about, (and know a lot
> about how to deal with), I'm thinking of just implementing a simple
> RADIUS server on top of databases I know and love?  I've found a good-
> looking RADIUS library in Python, my favorite language, and I was
> thinking of rolling my own server with a tiny, easily replicatable,
> Python embedded DB.  It seems the simplest route to me, but I'm
> hesitant because I feel there may be best-practices for heavy
> RADIUS users?  (ISP's, Telcos, anyone managing remote AAA)
>
> Any thoughts, URLS, as always are much appreciated!
>

I'm familiar with LDAP so I'll lean that way.  There are plenty of Python and
Perl libraries to make scripting LDAP easy...and frankly LDAP is just a
database anyway.  Although ramping up on LDAP may be a pain, a SQL RDBMS
sounds a little heavy for this solution.  Or...you could use BerkeleyDB
;^)

-p

-- 
~~oO00Oo~~
Peter Wright
pete at nomadlogic.org
www.nomadlogic.org/~pete
310.869.9459